SiddharthRajD
Copper Contributor
Feb 01, 2022

Parse string in Azure Sentinel

Hello, we want to parse out the "subscription ID" as a field from the following string. Please let me know how I can do that.

Column Name: privateLinkServiceId_

string: /subscriptions/"SubsriptionID"/resourceGroups/"RG-Name"/providers/Microsoft.Storage/storageAccounts/"Name"

Existing query (please suggest what needs to be appended):

AzureActivity | search "entity"
| extend privateLinkServiceId_ = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).privateLinkServiceConnections))[0].properties)).privateLinkServiceId)

  • Clive_Watson
    Bronze Contributor

    SiddharthRajD 

     

    AzureActivity 
    | extend entity_ = tostring(parse_json(Properties).entity)
    | where isnotempty(entity_)
    | parse entity_ with * '/subscriptions/' subscription_ '/' *
    | project subscription_

    However, SubscriptionId is already a column in that table, so you can just do:

    AzureActivity
    | extend entity_ = tostring(parse_json(Properties).entity)
    | where isnotempty(entity_)
    | project SubscriptionId
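
Added example, not part of the original thread: the reply's `parse` pattern applied to the asker's `privateLinkServiceId_` column, with the target subscription compared against the table's own `SubscriptionId` column, since a private endpoint can point at a resource in another subscription. The `datatable` rows, GUIDs and resource names are constructed so the query runs without workspace data, and the output column names are assumptions.

```kusto
// Constructed sample rows: SubscriptionId stands in for the AzureActivity column,
// privateLinkServiceId_ for the value produced by the asker's extend statement.
let SampleActivity = datatable(SubscriptionId: string, privateLinkServiceId_: string)
[
    "11111111-2222-3333-4444-555555555555", "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo01",
    "11111111-2222-3333-4444-555555555555", "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/rg-other/providers/Microsoft.Storage/storageAccounts/stdemo02",
    "11111111-2222-3333-4444-555555555555", "/SUBSCRIPTIONS/AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE/resourcegroups/rg-other/providers/Microsoft.Storage/storageAccounts/stdemo03",
    "11111111-2222-3333-4444-555555555555", ""
];
SampleActivity
// Drop events that carry no private link connection in the request body.
| where isnotempty(privateLinkServiceId_)
// Literal-delimiter parse, the same pattern used in the reply above.
| parse privateLinkServiceId_ with * '/subscriptions/' ParsedSubscriptionId '/' *
// Regex variant that tolerates different casing of the path segment names.
| extend TargetSubscriptionId = extract(@'(?i)/subscriptions/([^/]+)', 1, privateLinkServiceId_)
| extend TargetResourceGroup = extract(@'(?i)/resourcegroups/([^/]+)', 1, privateLinkServiceId_)
| extend TargetStorageAccount = extract(@'(?i)/storageaccounts/([^/]+)', 1, privateLinkServiceId_)
// Case-insensitive comparison: true when the link targets another subscription
// than the one that recorded the activity event.
| extend CrossSubscription = SubscriptionId !~ TargetSubscriptionId
| project SubscriptionId, ParsedSubscriptionId, TargetSubscriptionId,
          TargetResourceGroup, TargetStorageAccount, CrossSubscription
```

To run it against real data, replace `SampleActivity` with the asker's `AzureActivity` query ending in the `extend privateLinkServiceId_ = ...` line.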


     
